From: Greg Hudson
Date: Mon, 7 Jul 2025 21:22:47 +0000 (-0400)
Subject: Avoid large numbers of refresh_time cache entries
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=a656a739721868d6b271c73a0e2785de687c3bc5;p=thirdparty%2Fkrb5.git

Avoid large numbers of refresh_time cache entries

Commit 729896467e3c77904666019d6cbbda583ae49b95 amended kg_cred_time_to_refresh() to attempt a refresh from a client keytab when creds are close to expiration, even if no refresh_time config entry is set (as would be the case if the creds were acquired from a client keytab in the first place). The added conditional sets a refresh_time config entry, which is unhelpful as it has no corresponding check for one. kg_cred_time_to_refresh() is called before can_get_initial_creds(), so we add a config entry on every acquire_cred call when the creds are expired or close to expired, even with no accessible keytab. Remove the set_refresh_time() call to avoid this inefficient behavior.

ticket: 9179 (new)
tags: pullup
target_version: 1.22-next
---
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index d49ad07ea4..aa1a486dca 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -546,8 +546,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache,
     krb5_clear_error_message(context);
 }
 
-/* Return true if it's time to refresh cred from the client keytab. If
- * returning true, avoid retrying for 30 seconds. */
+/* Return true if it's time to refresh cred from the client keytab. */
 krb5_boolean
 kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
 {
@@ -556,17 +555,18 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred)
     if (krb5_timeofday(context, &now))
         return FALSE;
     soon = ts_incr(now, 30);
+
+    /* If a refresh time is set and has elapsed, attempt a refresh, and set a
+     * new refresh time to avoid retrying for 30 seconds. */
     if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) {
         set_refresh_time(context, cred->ccache, soon);
         return TRUE;
     }
 
-    /* If the creds will expire soon, try to refresh even if they weren't
+    /* If the creds will expire soon, attempt a refresh even if they weren't
      * acquired with a client keytab. */
-    if (ts_after(soon, cred->expire)) {
-        set_refresh_time(context, cred->ccache, soon);
+    if (ts_after(soon, cred->expire))
         return TRUE;
-    }
 
     return FALSE;
 }
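Review bot: The second `return TRUE` path now fires on every call for as long as the creds are within 30 seconds of expiry, with no throttle, and nothing in the code says why that asymmetry with the first branch is intended; the commit message gives the reason (the refresh_time entry is only ever checked in the branch above, and the caller runs can_get_initial_creds() afterwards), but a maintainer reading only this function could plausibly re-add the set_refresh_time() call that this commit removes. I would extend the comment on that branch to capture the rationale: `/* Deliberately no set_refresh_time() here: a refresh_time entry is only consulted by the branch above, and the caller decides whether a keytab is actually usable, so repeated TRUE results are expected to be cheap. */` — "expected to be cheap" is a hedge, since the cost of that downstream check is not visible in this hunk. The function's opening lines, including the declarations of now and soon, are above the first line of the hunk.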